Australian Banks Password Policy
I have a few bank accounts that I access online with a few different companies, which is not uncommon. What is uncommon in the enterprise space, but which I found to be quite common among online banks, is the lack of a decent password policy.
All the banks obviously have a password policy. What I found, at 3 out of the 5 places where I tried to change my password, was that they would NOT allow a password longer than 8 characters.
Limiting a user to 1 to 8 characters seems pointless; why not allow 1 to 16, 32, 64, 128, 256, etc.?
It is cases like this where I believe a policy should stipulate minimums and, if I wish to exceed them, I should be allowed to.
A longer password is generally considered more secure. The banks only keep a hashed password (and a hash is the same fixed size whatever the length of the input), so I cannot see any need to limit users to 8 characters.
Whilst talking about passwords, it would be really nice to see more banks following HSBC's lead by providing two-factor authentication.
In the long run, it may be cheaper for the banks, as there will be fewer cases of fraud, hacked accounts and fraudulent transactions.
Update:-
Following are some additional industry-recognised security recommendations for creating passwords (found in the Sun Certified Security Administrator Version 10 study guide):
* Passwords should be at least eight characters long.
* Passwords should contain at least:
  * one alpha character (a–z, A–Z)
  * one numeric character (0–9)
  * one special character from this set: ` ! @ $ % ^ & * ( ) - _ = + [ ] ; : ' " , < . > / ?
* Passwords should not contain spaces, begin with an exclamation mark (!) or a question mark (?), or contain the login ID.
* The first three characters of the password should not all be the same, and the sequence of the first three characters should not appear in the login ID.
* The first eight characters of the new password should not be the same as those of the previous password.
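As an added example (not from the original post or from the study guide), here is a Python check that applies the rules listed above the way the post argues a policy should work: every rule is a minimum, and there is deliberately no maximum length, so a long passphrase passes. The special-character set is the one quoted above (it does not include `#`). Treating the login-ID comparisons case-insensitively is an assumption the guide does not state, and the sample passwords and login IDs are made up.

```python
import re

# Special characters exactly as listed in the study guide's set quoted above.
# Note the set does not contain '#'; we do not add it.
SPECIAL_CHARS = set("`!@$%^&*()-_=+[];:'\",<.>/?")

MIN_LENGTH = 8  # a minimum only; no maximum is enforced anywhere below


def check_password(password: str, login_id: str, previous_password: str = "") -> list:
    """Return a list of rule violations; an empty list means the password passes.

    Each rule from the guide is a lower bound on quality. Nothing here rejects
    a password for being too long, which is the point the post makes about
    banks capping passwords at 8 characters.
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    if " " in password:
        problems.append("contains a space")
    if password[:1] in ("!", "?"):
        problems.append("begins with ! or ?")

    # Login-ID checks are done case-insensitively (assumption: the guide does
    # not say, and a case-insensitive match is the stricter reading).
    lowered_login = login_id.lower()
    if login_id and lowered_login in password.lower():
        problems.append("contains the login ID")

    first3 = password[:3]
    if len(first3) == 3 and len(set(first3)) == 1:
        problems.append("first three characters are identical")
    if len(first3) == 3 and login_id and first3.lower() in lowered_login:
        problems.append("first three characters appear in the login ID")

    # Only the first eight characters are compared, as the guide specifies.
    if previous_password and password[:8] == previous_password[:8]:
        problems.append("first eight characters match the previous password")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = [
        ("Tr0ub4dor&3", "alice", ""),
        ("correct-horse-battery-staple-2024", "alice", ""),  # long: allowed
        ("password", "bob", ""),
        ("!!!bob123", "bob", ""),
        ("Summer2019!x", "alice", "Summer2019!y"),
    ]
    for pw, user, prev in samples:
        result = check_password(pw, user, prev)
        print(f"{pw!r:40} -> {'OK' if not result else result}")
```

Run it directly to see each constructed sample evaluated against the rules. The 33-character passphrase passes cleanly, which is exactly the case the banks discussed above would have rejected.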